Reports Surface of Almost 5 million Gmail Accounts With Passwords Exposed

Reports Surface of Almost 5 million Gmail Accounts With Passwords Exposed

by Pete Daniel on 12 September 2014 · 2797 views

Reports have surfaced that hackers located in Russian have managed to obtain crucial information in order to allow the infiltration of up to 4.93 million Google accounts. This includes the email IDs and selected passwords to access Gmail which also grants access to many other Google products like YouTube, Maps, Plus and the Google Account where master settings can be adjusted too.

2 large Reports Surface of Almost 5 million Gmail Accounts With Passwords Exposed

The hacking information surfaced following a post by user “Tvskit” on Btcsec.com, a BitCoin forum. The poster stated that as many as 60 percent of the obtained passwords were still valid and the accounts were still active.

A file which was not password protected and can be opened by everyone was posted on the forum which allows visitors to download a 7z archive of the hacked accounts. An inspection of this file clearly shows that the users are a mix of English-speaking, Spanish-speaking and Russian-speaking people.

Google Security

Google has been active with security for years now. Just in the last 3 years they've paid out more than $2 million in rewards for security findings. They're fixed over 2,000 bugs as well. With regard to this specific issue, Google felt that they did not have a breach in their systems.

1 full Reports Surface of Almost 5 million Gmail Accounts With Passwords Exposed

Credential information can be obtained by hackers through a variety of other methods. People often use the same password or the same email or username on other sites. Sometimes for all sites they still use the same credentials because they're the easiest to remember. Malware or phishing approaches can also be used to try to obtain login information from users.

Password Manager

They'd be better using LastPass or some other password utility which can not only remember passwords, but it can create cryptographically strong passwords for you as well. 

Checking If You Have a Breach In Security

There is the option to check whether one of your Google accounts is in the list. An unofficial web site page has appeared to verify this. It is possible to roughly check your email address by adding three asterisks in place of three of the characters in your full email address to protect privacy.

The source of this site is not well known, so it's unclear if this is a good way to check if your account details may have been given away in this message board post.

For this reason, it is best to change your password on any Google accounts that you may be worried about. It is also worth considering turning on two-factor authentication.

Update: A much better alternative site to check if your Google email is on that list is https://www.dashlane.com/googlebreach. Dashlane is a reputable passwords manager, which we compared to LastPass as well in our article LastPass vs Dashlane - Comparing the Top Password Managers. Thank you for the tip Toshi.

Two-Factor Authentication

It is perfectly possible for Google users to turn on two-factor authentication by linking their phone number to their Google account. This way, a unique 6-digit code is SMS texted to you to add to your account to confirm it. Once this is done, the phone can receive urgent messages if someone else is trying to use your email and password to try to access any of your Google account.

This system works with “dumb” phones as well as smart ones too, so it's not necessary to have an iOS, Android or Windows Phone in order to take advantage of two factor authentication. A number of prominent sites now offer this additional layer of security.

Beyond Two Factor Authentication

Google is also known to be quite active with active security measures. If someone is trying to access your Google account from a location that Google knows that you're not living in, they will likely block this attempt and email you a notification with details of where the other access attempt took place.

With logged in accounts and the tracing of IP addresses and GPS coordinates, it is possible for Google servers to know where you are located at any given time. Because of this, someone attempting to login from half-way around the world tends to get their attention, sets of alarm bells and the access is typically blocked as a result.

One upside of Google knowing where you are..

Comments (1)
toshi on 14 Sep 2014
Someone can check whether his Google account is included in the list of the stolen password's through this tool that Dashlane created just for this security breach:
https://www.dashlane.com/googlebreach
Featured Articles